by speedgoose 1588 days ago
Hello, could you consider allowing SSO on all plans?

See https://sso.tax

2 comments

I hadn't seen sso.tax before, thank you thank you thank you, it is so true!

Glad to see GitHub there; it is so egregious in its treatment of SSO. First, I would gladly pay extra for SSO integration in GitHub. But a 425% increase!! It's absurd and insane, and given how there are limitations in other security features I can require (I can't, for example, require hardware token authentication, only generic 2FA), this is borderline criminal.

Paying for additional, enterprise-specific features, I totally understand. But, as the site you posted so eloquently describes, the option is "have shittier security" unless you pay an obscene, bundled markup. This is an area where I do think regulation should be required, not so much on features or pricing, but that additional security features shouldn't be permitted to be bundled in, or that SaaS products should have some amount of liability when they don't provide unbundled, table-stakes security features.

We're trying to match feature sets within plans to the company profiles and stages. It's true we've received quite a few requests to enable SSO in the Pro plan, but could you share your use case or potential use cases where you need SSO in an early-stage startup?

It's just a security measure. As a founder of a currently 4-person company, I want SSO everywhere I possibly can. It reduces attack vectors, and makes it so much easier to ensure nobody has access when they leave the company. Every product we use that doesn't offer SSO has to be added to our onboarding/offboarding checklists.

It comes down to this: don't assume companies are incompetent at properly dealing with employee access to the products they use just because they're small. These things tend to be correlated, but it hurts small companies that are trying to deal with this correctly.

Edit: let me phrase it like this. By locking away account management and security tools, you're implicitly stating that only large enterprises should care about security.

Don't expect this to change. Most companies realize they can't provide any value for enterprises in that price tier, so they lock SSO behind the most expensive tier. Drives me mad, but that's the industry.

Yes, and I find it absolutely ridiculous.

But I have found a couple of companies that do a sort of "middle ground": SSO via SAML2 locked behind some "call us" enterprise BS, but Google Auth available to all.

Mailgun does this, and so does Linear. Atlassian charges extra for SSO (via Atlassian Access), but it's just $30 a month or something, so that seems totally reasonable even if extra.

This feels like a decent middle ground for smaller companies since it requires zero extra config.

We have Google Auth available in all plans as well, btw.

> use-case or potential use-cases where you need SSO in an early-stage startup

In general, keeping track of >1 passwords means giving everyone a password manager, and it also means you can't integrate with the rest of your endpoint security stuff (for example, if you use Azure AD, it can check whether you are coming from a corporate-owned device and give you different privileges or let you bypass 2FA). There are more creative ways to get people to move to a higher tier than locking an essential feature up there. As it is, I can pay for your highest plan or just use PowerApps/Google's equivalent.

> use-case or potential use-cases where you need SSO in an early-stage startup

Every company, regardless of size, needs to be secure.